Posted by: Ken Harthun
Opinion, passwords, Security, Security best practice, Two-factor authentication
The time required to break an eight-character password has dropped to two minutes. A seven-character password, the minimum currently required by PCI-DSS for retailers to protect stored payment-card information, is compromised in seconds. (Read more: http://www.storefrontbacktalk.com/securityfraud/kill-all-the-passwords/#ixzz13sqR29Do). That’s why I have gone to 10 characters as a minimum password length. But there’s a caveat: 10 characters is fine if you can use special characters, but I would go to 12 if you can only use upper/lower case and numerals.
That might work for a while, but processors just keep getting faster and faster. Before too long, even passwords like H4*$.ndl_@@I1~nRfCsI ()&^%$# won’t be secure enough. It’s time for a second factor. Yes, I know there are sites that use them. PayPal is one of them (I use their security key, essentially a time-synchronized one-time password). It’s also integrated with eBay. Banks and other financial institutions seem to be slow on the uptake, however.
When I log into PayPal or eBay, I’m not the least bit worried that someone could hack me. Even if there is a keylogger on my system, the fact that my strong, 10-character password is augmented with a random, non-repeating six-digit token makes it highly unlikely that anyone in any known universe is going to hack me within any human’s lifetime. After all, even if the hacker knows my password (factor 1, something you know), he still won’t be able to enter the security key token (factor 2, something you have) because only I have that.
I’m not saying for a minute that passwords are completely dead, only that they are no longer sufficient as a single-factor authentication method. I’ll explore alternatives such as sequential one-time passwords and other methods in a future post.